Help needed: Local source code startup CORS cross-domain 401 unauthorized

According to the documentation steps, start locally.

The frontend runs on Windows at 192.168.0.148, and the backend runs on the server at 192.168.0.149.

When accessing the login page, the console displays:

GET http://192.168.0.149:5001/console/api/account/profile 401 (UNAUTHORIZED)

POST http://192.168.0.149:5001/console/api/refresh-token 401 (UNAUTHORIZED)

The administrator account can be set up normally, but login fails.

After entering the account and password to log in, the page flashes briefly and then redirects back to the login page.

The server console shows multiple entries like: “POST /console/api/refresh-token HTTP/1.1” 401 -

Following the documentation, I modified the following settings in /api/.env:

WEB_API_CORS_ALLOW_ORIGINS=*
CONSOLE_CORS_ALLOW_ORIGINS=*

CONSOLE_API_URL

CONSOLE_WEB_URL

SERVICE_API_URL

APP_WEB_URL

FILES_URL

After restarting the services, the 401 error persists. Does anyone have experience successfully completing a local startup?

Im also experiencing that when deploying in Railway

I encountered the same issue, and it’s still unresolved. Seeking a solution.

This has been resolved.
It was resolved by using domain names, mapping them in the local hosts file.

192.168.1.188 console.dify.local
192.168.1.217 api.dify.local

My colleague did the same. The Dify configuration file supports configuring top-level domains. This means we both use subdomains, and after setting the top-level domain to dify.local, change the NEXT_PUBLIC_COOKIE_DOMAIN=1 configuration to 1, and then it can be called via the domain name.